I am trying to onboard Retina logs through HTTP Event Collector; however, I am not having any luck with it.
The firewall has been opened, and I can see it being allowed, but it is not reaching the HEC.
We can see the below error when we try:
SplunkClient.SendApiRequest failed with error 'The remote server returned an error:(404) Not Found'.
Not sure where the issue is; we have tried a couple of different endpoints. However, I can use curl to send data. Has anyone onboarded data through HTTP Event Collector for BeyondTrust Retina?
Has there been any update on this?
Yeah, we finally got it working. It was a firewall issue.
How did you configure BeyondTrust to send via the HTTP Event Collector?
Or do you have a link to any documentation?
Well, I don't own the BeyondTrust application. However, they provided me access to the console to troubleshoot. I just needed to add the following on the configuration page of BT:
Host Name:
Port:
Splunk Index:
Splunk Sourcetype:
Splunk Source:
Then at the bottom they had a panel to checkmark what to send, or something similar.
Ahh, yeah, I don't see the configuration page on BT. Unless you are referring to Tools --> Alerting --> Actions, but that doesn't have anything Splunk related other than the host value to send to.
No. It was under Configure -> Connectors
Do you have that option? I got access through the webpage, not the actual console.
I believe we are on an older version, working to get it updated now. Are you using a TA for the props / transforms or just built your extractions custom?
I don't have any props or transforms as of now.
I believe since the data does not come through raw, it is considered already "cooked" and no index-time extractions can be applied. We are missing a severity field as well as the timestamp being 4 hours off. This is using the Splunk HEC connector. We might have to default back to syslog! Thanks for the help!
Yeah, time is off. Haven't had time to research how to fix it. Props doesn't work either.
But one thing I noticed was that the test didn't have issues, as the logs didn't have any time on them, so it took indexing time. But the real logs have time, and it gets screwed up.
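Pinning the timestamp explicitly, as an added example that is not code from this thread, BeyondTrust or Splunk: it computes the skew a zone-less timestamp picks up when the indexer assumes UTC, and builds /services/collector/event payloads whose epoch `time` field removes the guess. The UTC-4 source zone and the host, index, sourcetype and source values are assumptions.

```python
"""Added example, not code from this thread, BeyondTrust or Splunk.
Shows why events carrying a zone-less timestamp land hours off when the
indexer guesses the zone, and builds HEC /services/collector/event payloads
with an explicit epoch `time` so no guessing is needed.
Assumption: the source writes local time at UTC-4 (a 4-hour skew matches
US Eastern daylight time); adjust SOURCE_UTC_OFFSET_HOURS for your site."""
import json
from datetime import datetime, timedelta, timezone

SOURCE_UTC_OFFSET_HOURS = -4          # assumption, see docstring
SOURCE_TZ = timezone(timedelta(hours=SOURCE_UTC_OFFSET_HOURS))
TS_FORMAT = "%Y-%m-%d %H:%M:%S"       # zone-less, as the real logs were described


def epoch_for(ts: str, tz: timezone) -> float:
    """Interpret a zone-less timestamp string in the given zone, return epoch seconds."""
    return datetime.strptime(ts, TS_FORMAT).replace(tzinfo=tz).timestamp()


def skew_seconds(ts: str) -> float:
    """Seconds the event lands away from its true time if the indexer assumes UTC.
    Negative means it is placed earlier than it really happened."""
    return epoch_for(ts, timezone.utc) - epoch_for(ts, SOURCE_TZ)


def hec_event(raw_line: str, ts: str, index: str, sourcetype: str, source: str) -> dict:
    """One object for the HEC JSON endpoint; `time` is epoch seconds, and the other
    fields match the Host Name / Index / Sourcetype / Source values the connector asks for."""
    return {
        "time": epoch_for(ts, SOURCE_TZ),
        "host": "retina-console",        # constructed sample host
        "index": index,
        "sourcetype": sourcetype,
        "source": source,
        "event": raw_line,
    }


def hec_body(events: list) -> str:
    """Newline-delimited JSON; HEC accepts several event objects in one POST body."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events)


if __name__ == "__main__":
    # constructed sample line with a zone-less timestamp
    line = "2023-06-01 10:15:00 Retina scan finished, 3 high findings"
    ev = hec_event(line, "2023-06-01 10:15:00", "retina", "beyondtrust:retina", "hec")
    print(f"skew if zone is guessed as UTC: {skew_seconds('2023-06-01 10:15:00') / 3600:+.0f} h")
    print(hec_body([ev]))
```

POST the body to https://<hec-host>:8088/services/collector/event with an `Authorization: Splunk <token>` header; the raw endpoint (/services/collector/raw) leaves timestamp parsing to the indexer, which is where the guessing happens.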
I agree. Have had similar issues.